Privacy Policy

We collect the minimum data we need to run an online learning service, protect your account, and meet legal requirements. We do not sell your data. We don't do cross‑context behavioral advertising. Where the law demands consent, we'll ask; where you have rights, we'll enable them without drama. Regulators are welcome—we are prepared.

Who we are (Controller details)

Entity: "iExperts Academy" ("we", "us", "our")

Privacy contact / DPO contact: [email protected]

Payment processing: We do not store card or bank data here. If this changes, we will name the processor(s) and update this notice.

Scope & audience

This notice covers personal data we process as controller for our website, learning platform, webinars, marketing communications, and support. Where we act as a processor on behalf of an institutional/customer organization (e.g., enterprise portal), our processing is governed by a separate Data Processing Addendum (DPA); this Policy still applies to our role as a service operator but customer instructions take precedence for processor activities.

What we collect (data categories)

We collect only what we need, for the purposes below. Examples include:

  • Account & Contact: name, email, hashed password, phone/WhatsApp if you provide it.
  • Learning Data: courses enrolled, progress, assessment results, certifications you choose to pursue, preferences.
  • Communications: messages sent via forms, email, WhatsApp, webinar Q&A, surveys.
  • Device/Usage: IP address, device/browser type, pages viewed, timestamps, referral URLs, approximate location (country/city), cookie IDs.
  • Identity/Verification (only if needed for a certification or proctored exam): full name and, if you choose to submit it, an ID image or proctoring telemetry as required by the certifying partner.
  • Third‑party sources: providers we use for analytics, email, support, abuse‑prevention may provide limited personal data (e.g., delivery or engagement status, risk signals).

We do not deliberately collect government ID numbers, precise geolocation, health data, or biometrics on this site. If a certification partner requires identity checks, we'll tell you exactly what's required and why.

Why we use data (purposes & legal bases)

We process personal data to:

  • Provide the service (create accounts, deliver courses, maintain security).
    Legal bases: performance of contract; legitimate interests (running a secure, reliable platform); legal obligations.
  • Support & communicate (answer questions, service notices, operational messages).
    Legal bases: performance of contract; legitimate interests.
  • Improve & analyze (usage analytics, debugging, content improvement, capacity planning).
    Legal bases: legitimate interests; consent where cookie laws require it.
  • Marketing (newsletters, course updates).
    Legal bases: consent where required (EU/UK, certain Middle‑East regimes); legitimate interests elsewhere. Opt‑out anytime.
  • Compliance & protection (fraud/abuse detection, enforce terms, respond to lawful requests).
    Legal bases: legitimate interests; legal obligation; establishment, exercise, or defense of legal claims.
  • Certification/Exam checks (optional) when you choose such paths.
    Legal bases: performance of contract; legitimate interests; consent where required by local law.

We do not use your data for fully automated decision‑making with legal or similarly significant effects.

Cookies & similar technologies

We use strictly necessary, preference, and analytics cookies; and marketing tags only if/when used. Where required (EU/UK and several Middle‑East jurisdictions), we obtain consent for non‑essential cookies. You can manage choices via Cookie Settings and your browser. We honor Global Privacy Control (GPC) and similar signals where applicable.

Retention for cookies/analytics: typically 13–24 months, configurable via consent settings.

Industry frameworks: We aim to support recognized consent frameworks (e.g., IAB Europe TCF 2.2) where relevant.

Do not sell or share your information

We do not sell personal information and we do not share it for cross‑context behavioral advertising under the CCPA/CPRA. If that ever changes, we will update this Policy, implement "Do Not Sell/Share" controls, and honor GPC.

Sensitive data

We do not seek sensitive data (e.g., government IDs, precise geolocation, biometrics, health, religious or political beliefs). If identity verification is required for certification/exam integrity, we'll explain why, minimize what we process, restrict access, and delete promptly per the partner's rules.

Children's privacy

Our services are not directed to children.

  • Under 13 (US COPPA): we do not knowingly collect data.
  • Under 16 (EU/UK and some other jurisdictions): parental/guardian consent is required for any optional processing.

If you believe a child provided data, contact [email protected] for deletion.

How we disclose information (categories & safeguards)

We disclose personal data to:

  • Service providers / processors (hosting, email/SMS/WhatsApp communications, analytics, customer support, security/anti‑abuse).
  • Certification/exam partners (only when you enroll and only the minimum necessary).
  • Professional advisors (auditors, insurers, legal counsel).
  • Legal/safety (lawful requests, protecting rights/safety, preventing fraud).
  • Corporate transactions (merger, acquisition, restructuring; protections continue).

A current list of key sub‑processors is available on request at [email protected] and will be published on our website.

We require vendors to sign data protection terms, follow least‑privilege access, and meet security baselines. We conduct risk‑based vendor due diligence and monitor material changes.

International transfers

Your data may be processed outside your country. We apply appropriate transfer tools and assessments.

EEA/UK: Where data leaves the EEA/UK, we use the EU Standard Contractual Clauses and/or UK IDTA/Addendum and conduct transfer impact assessments (Schrems II).

UAE/KSA/Qatar/Bahrain/Egypt; DIFC/ADGM: We follow local cross‑border rules (adequacy, registration/consent where required, contractual safeguards, and transfer assessments). Where localization is mandated or preferred, we accommodate via hosting and vendor selection.

Retention schedule (how long we keep data)

We keep personal data only as long as needed for the purposes above, then delete or irreversibly anonymize. Typical periods:

  • Account & course records: retained during active use; deleted 30 days after the client relationship ends.
  • Certificates/awards: 5–7 years (to verify credentials; or longer if a partner mandates).
  • Support logs: 24 months.
  • Analytics/cookies: per settings, typically 13–24 months max.
  • Marketing preferences & consent logs: typically 4–7 years to demonstrate compliance.
  • Legal/financial records: 6–10 years, depending on the jurisdiction in the countries where we operate.

We may extend retention to preserve evidence in case of disputes, investigations, or to comply with law.

Security (what we actually do)

We apply administrative, technical, and physical safeguards appropriate to risk, including:

  • Encryption in transit, hardened hosting, network segmentation where applicable.
  • Access controls, least‑privilege, role‑based access.
  • Secure development lifecycle, code review, dependency scanning.
  • Vulnerability management and patching SLAs; third‑party penetration testing.
  • Continuous logging/monitoring; anomaly and abuse detection.
  • Vendor risk management and contractual security obligations.
  • Staff privacy/security training and confidentiality obligations.

Breach handling: We investigate and, where required, notify regulators and affected users. GDPR/UK: report to the DPA within 72 hours when mandated. Other jurisdictions follow their statutory timelines.

No system is 100% secure—keep your credentials confidential and report issues to [email protected].

Your privacy rights (by region)

We honor all applicable rights and will not discriminate for exercising them.

EU/UK (GDPR/UK GDPR)
Rights to access, rectify, erase, restrict, portability, object, and withdraw consent. You may complain to your local DPA; in the UK, the ICO.

United States (CA/VA/CO/CT/UT/NV and similar)
Rights to access/know, delete, correct, portability; opt‑out of targeted advertising, sale, and certain profiling. We honor GPC as an opt‑out signal where applicable. If we deny a request as permitted by law, we'll explain why and how to appeal.

Middle East (UAE Federal PDPL, KSA PDPL, Qatar, Bahrain, Egypt; DIFC/ADGM)
Rights commonly include access, correction, deletion, objection/withdraw consent, and portability (scope varies). Some jurisdictions require consent for certain processing or transfers; we comply.

How to exercise your rights: email [email protected] with subject "Privacy Request" and include your country/state of residence. We will verify identity using proportionate methods and will not ask for unnecessary data.

Response times: We aim to respond within 30 days (GDPR/UK) and within applicable US/Middle‑East timelines; extensions are communicated if legally permitted.

Marketing choices

  • Emails/WhatsApp/SMS: unsubscribe via the message or email [email protected].
  • Cookies/ads: adjust via Cookie Settings, your browser, and GPC.

Third‑party links

We may link to third‑party sites. Their privacy practices are governed by their own policies.

Changes to this Policy

We may update this Policy. The Effective date shows the latest version. If changes are material or where the law requires, we will notify you or seek consent.

Data portability

For further information or data portability requests, please email [email protected].

Jurisdictional Addendum (bite‑size but enforceable)

This Annex tightens the screws for GDPR/UK GDPR, US state laws (CPRA et al.), and Middle‑East frameworks (UAE/KSA/Qatar/Bahrain/Egypt; DIFC/ADGM). If there's a conflict with the main Policy, the stricter rule applies.

GDPR / UK GDPR specifics

  • Roles: iExperts Academy is controller for website/learning operations; may be processor for enterprise customers.
  • Legal bases mapping:
    • Account creation, delivery of courses → Contract (Art 6(1)(b)).
    • Security, fraud prevention, product analytics → Legitimate interests (Art 6(1)(f)); interests balanced against rights; opt‑out honored where required.
    • Marketing emails/SMS/WhatsApp → Consent (Art 6(1)(a)) or soft opt‑in where applicable; always provide an easy opt‑out.
    • Legal compliance (tax, accounting, lawful requests) → Legal obligation (Art 6(1)(c)).
  • Special categories: We do not process special category data; if certification identity checks risk touching biometric data, we will avoid biometric templates and treat images as ID documentation only, with strict retention and access controls.
  • Data minimization & DPIA: We perform DPIAs for high‑risk initiatives (e.g., proctoring technology, large‑scale tracking).
  • International transfers: SCCs (2021) with appropriate TIAs; UK Addendum/IDTA as needed.
  • Data subject rights: 1 month (extendable by 2 months for complexity).
  • Complaints: Contact the ICO (UK) or your local DPA.

US State Privacy (CPRA, VCDPA, CPA, CTDPA, UCPA, NV, etc.)

  • No "sale"/"share": We do not sell/share personal information as defined by CPRA.
  • Opt‑out signals: We honor GPC for opt‑out of sale/sharing/targeted ads where recognized.
  • Sensitive PI (CPRA): We do not process sensitive PI for inferring characteristics; if ever necessary (e.g., ID for certification), we limit to the specific purpose.
  • Verification: Reasonable methods based on account status and request type; we will not disclose more data than necessary to verify.
  • Appeals: If a US state law grants an appeal right (e.g., VA/CO/CT), you may appeal; unresolved disputes may be referred to the AG as allowed by law.

Middle‑East (UAE PDPL; KSA PDPL; Qatar; Bahrain; Egypt; DIFC; ADGM)

  • Legal bases & consents: We use consent where mandated (e.g., certain marketing/cookie uses), otherwise legitimate interests or contract.
  • Registration/localization: Where a regulator requires data controller registration or a local representative, we comply. Where localization is required or recommended (e.g., sectoral rules, KSA hosting preferences), we can provide in‑region hosting/vendor options.
  • Cross‑border transfers: We implement contractual safeguards and assessments; obtain consent where law requires explicit consent.
  • Breach notification: We follow local timelines/thresholds (e.g., DIFC/ADGM immediate notification in high‑risk cases).

Operational Playbook (how we actually run this)

Data inventory (ROPA excerpt)

  • Systems: learning platform, CRM/email tool, support desk, analytics, security tooling.
  • Categories: Account, Learning Data, Communications, Device/Usage, Exam Verification (conditional).
  • Recipients: sub-processors listed on our site; certification partners (conditional).
  • Transfers: EU/UK → global via SCCs/UK Addendum; Middle-East via local rules.

Rights request handling (SOP)

  • Intake: [email protected]; log request ID; verify within 5 days.
  • Fulfillment: export (portable format), correction, deletion, restriction, objection, opt‑out.
  • Deadlines: GDPR/UK 30 days; US states 45 days; extensions documented.
  • Appeals (US): separate ticket, decision by privacy lead within 45 days.

Vendor onboarding

  • Risk rating (data volume/sensitivity, geography, criticality).
  • Contractual controls (DPAs with SCCs/IDTA where relevant).
  • Security review (SOC 2/ISO 27001 or equivalent; pen-test summaries).
  • Ongoing monitoring (annual attestations, incident notices, change control).

Incident response

  • Detect, contain, eradicate, recover; forensic preservation.
  • Assess harm/notify per law (GDPR 72h to DPA where required).
  • Post‑mortem with corrective actions.

Retention & deletion

  • Automated policies per system; quarterly audits; hard‑delete or anonymize.
  • Legal hold process for disputes/investigations.

Certification/exam integrity (if used)

  • Identity check only when necessary; avoid biometrics; store minimal data; short retention; partner‑mandated controls.

Training & accountability

  • Annual privacy/security training for all staff; role‑based modules for engineers and support.
  • Internal audits; management reviews; board‑level reporting on key risks and incidents.

Definitions (quick reference)

Controller/Processor, Personal data, Processing, Special category data, Sale/Share (CPRA), Targeted advertising, Profiling, DPIA, SCCs/IDTA — as defined in applicable laws.

Processor role for enterprise customers (summary)

When our customer is the controller and we act as processor:

  • We process data only on documented instructions.
  • We implement security measures, assist with DPIAs and breach notices, maintain sub‑processor lists and flow‑down obligations, and delete/return data at contract end.
  • We enable audits subject to reasonable notice and confidentiality.

Accountability & continuous improvement

This Policy is written so regulators, customers, and users can hold us to it. If you spot a gap, tell us. We'll fix it fast.

Contact

Questions about privacy or your choices?

Privacy: [email protected]

Security: [email protected]

General: [email protected]